Cisco IPSec VPN – IOS site-to-site Virtual Tunnel Interface VTI

Cisco IPSec VPN tunnels on Cisco IOS routers secure endpoints by forming a tunnel and encrypting the traffic within it. Setting up these site-to-site VPNs can be cumbersome and often involves building complicated, matching crypto maps on both end devices. Changing one end's encryption domain requires modifying the ACLs on both ends of the tunnel.

GRE tunnels, on the other hand, don't require that: all you need to do is point the routes at the GRE tunnel endpoints on both ends and traffic will magically route through. The downside is that a plain GRE tunnel is not as secure, since it provides no encryption.

What if I told you that you can combine the best of both worlds? Introducing Cisco VTI, the Virtual Tunnel Interface with IPSEC encryption! Much like a GRE tunnel, you set up tunnel interfaces on your routers and have them encrypt with your favorite FIPS-compliant encryption algorithm. Here's how you do it:

Step 1. Create a PHASE 1 isakmp policy on both ends, and define the pre-shared secret key bound to the remote router's IP address.

Step 4. Simply add a route for the destination you want to reach, and a corresponding route on the other end, pointing at the tunnel interface; the router will automatically encrypt the traffic!

ip route 192.168.2.0 255.255.255.0 tunnel 0
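A complete two-router configuration for the procedure above, added here as an example rather than taken from the original post. The policy, transform-set, profile and interface names, the 203.0.113.0/24 WAN addresses, the 10.0.0.0/30 tunnel subnet and the <PRE-SHARED-KEY> placeholder are all assumptions; 192.168.1.0/24 and 192.168.2.0/24 are assumed to be the two LANs.

```cisco
! ---- Site A (WAN 203.0.113.1, LAN 192.168.1.0/24) ----
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Key is bound to the peer address, so only 203.0.113.2 can complete phase 1
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
! The IPsec profile replaces the crypto map; no encryption-domain ACL is needed
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Anything routed into Tunnel0 is encrypted; no ACL change when adding subnets
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ---- Site B (WAN 203.0.113.2, LAN 192.168.2.0/24), mirror image of A ----
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! ---- Verification on either end ----
! show crypto isakmp sa      -> peer listed in QM_IDLE state (phase 1 up)
! show crypto ipsec sa       -> encaps/decaps counters increase with traffic
! show interface Tunnel0     -> line protocol up once the SA is established
```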

Tip: If you wish to create multiple tunnels, simply create another tunnel interface with a different IP subnet and define a new isakmp key with a different peer address. If you want to create multiple tunnels with the same key, simply use 0.0.0.0 0.0.0.0 as the address and the router will accept phase 1 negotiations from any source address.